Catalog source of the Cert Manager fails to connect in a restricted networking policy environment
Symptoms
The following error message is shown in the error log of the PackageServer operator in the openshift-operator-lifecycle-manager namespace:
W1215 02:55:18.581552 1 clientconn.go:1331] [core] grpc: addrConn.createTransport failed to connect to {ibm-cert-manager-catalog.ibm-cert-manager.svc:50051 ibm-cert-manager-catalog.ibm-cert-manager.svc:50051 <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 172.30.58.13:50051: i/o timeout". Reconnecting...
Cause
In a restricted networking policy environment, connections between the openshift-operator-lifecycle-manager and ibm-cert-manager namespaces are blocked. The Cert Manager operator in the openshift-operator-lifecycle-manager namespace therefore cannot connect to ibm-cert-manager-catalog in the ibm-cert-manager namespace.
Resolving the problem
To resolve the issue, apply the following network policy in the namespace that deploys the singleton service catalog, such as ibm-cert-manager or ibm-licensing:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-openshift-operator-lifecycle-manager
  namespace: <your foundational service operator namespace>   # for example ibm-licensing or ibm-cert-manager
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-operator-lifecycle-manager
  policyTypes:
  - Ingress
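As an added example that is not part of the original page, the following Python models the NetworkPolicy ingress semantics this fix relies on and checks the policy above against a constructed deny-all baseline, a mistyped namespace label, and the policy applied in the wrong namespace. The deny-all policy, the pod labels and the catalog namespace are constructed for illustration.

```python
# Added example (not from the IBM page): a minimal evaluator of Kubernetes NetworkPolicy
# ingress semantics, written with dict literals instead of PyYAML so it runs stand-alone.
# Only matchLabels selectors are modelled (no matchExpressions, no ipBlock); a namespace
# is identified by its kubernetes.io/metadata.name label.
NAME_LABEL = "kubernetes.io/metadata.name"

def selector_matches(selector, labels):
    """{} matches everything; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, dst_ns, dst_pod_labels, src_ns_labels, src_pod_labels):
    """Policies are additive: allowed if no Ingress policy in dst_ns selects the
    destination pod, or if any 'from' peer of any selecting policy matches the source."""
    selected = [p for p in policies if p["metadata"]["namespace"] == dst_ns
                and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                and selector_matches(p["spec"].get("podSelector", {}), dst_pod_labels)]
    if not selected:
        return True  # no policy selects the pod: default allow
    for p in selected:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if not peers:
                return True  # a rule without 'from' allows any source
            for peer in peers:
                ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
                # a podSelector without namespaceSelector is scoped to the policy's own namespace
                ns_ok = (selector_matches(ns_sel, src_ns_labels) if ns_sel is not None
                         else src_ns_labels.get(NAME_LABEL) == dst_ns)
                pod_ok = pod_sel is None or selector_matches(pod_sel, src_pod_labels)
                if ns_ok and pod_ok:
                    return True
    return False  # selected by at least one policy, matched by none

def deny_all_ingress(namespace):
    """Constructed stand-in for the restricted baseline: selects every pod, allows nothing."""
    return {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
            "metadata": {"name": "deny-all-ingress", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

def allow_from_olm(namespace, olm_ns="openshift-operator-lifecycle-manager"):
    """The page's policy; olm_ns is a parameter so that a mistyped label can be tested."""
    return {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
            "metadata": {"name": "allow-from-" + olm_ns, "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [
                {"namespaceSelector": {"matchLabels": {NAME_LABEL: olm_ns}}}]}]}}
# Constructed sample: PackageServer in the OLM namespace dialing the catalog pod on :50051.
OLM_NS, PACKAGESERVER = {NAME_LABEL: "openshift-operator-lifecycle-manager"}, {"app": "packageserver"}
CATALOG_POD = {"olm.catalogSource": "ibm-cert-manager-catalog"}
def catalog_reachable(policies, catalog_ns="ibm-cert-manager"):
    return ingress_allowed(policies, catalog_ns, CATALOG_POD, OLM_NS, PACKAGESERVER)
```

Because policies are additive, the page's allow rule must live in the same namespace as the catalog pod and its label must match the OLM namespace exactly; a mistyped label matches no namespace and leaves the deny-all baseline in force.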